Managing certificates with Google Chrome

Chrome and browser signing

The Chrome developers have been working on adding keygen-support as it was previously present in Mozilla Firefox, Opera and Apple Safari to Chromium.

Chrome 5 seems to support the keygen tag on all major platforms. However, enrollment success feedback is sometimes still suboptimal. But we can use the same mechanisms as for other browsers to support browser certificate enrollment for users running Google Chrome.

At the time of writing this, the Comodo CA could not decode CSRs created by Chrome on MacOS X. As there seems to be a history to this problem and the user base of Chrome on MacOS X is not estimated to be very high, currently this remains unfixed. If you feel very strongly that browser requests should work with Chrome on MacOS X, please drop us a line at tcs-portal-core [at] terena.org. Otherwise it is recommended to use Safari for the time being. Thanks.

Response encoding

A Chromium issue tracks limitiations of the response format. Currently only DER encoding is supported on all platforms with Chrome.

Managing the enrolled certificate (Windows)

Chrome makes use of Windows' certificate management facilities. That means that processed and installed certificates are handled the same way as with Internet Explorer enrollment.

Managing the enrolled certificate (Linux)

Instead of having it's own certificate management facilities, on Linux Google chrome ties into libnss3-tools. See the Chrome documentation on certificate management. On the downside, users will not have a very nice graphical interface to manage their certificates. On the other downside, the certutil command is not very easy to use. On the upside, it is rather powerful.

So after issuing a certificate, it can be checked whether it is present as one of the user's certificates:

Importing the CA certificate (Windows)

Automatic import via the Chrome browser does not work. Instead the certificate has to be downloaded to the harddrive. Opening the browser options, navigating to "Under the hood" and clicking on the "Certificate Management" button, will bring up Windows' integrated certificate management. There the certificate can be imported.

Importing the CA certificate (Linux)

Our friend CertUtil will have to help us with importing again. First we download the CA-cert from the CA section of the portal and then we import it with certutil. -t T,c,c tells cert-util that the certificate can serve as a well CA for client certificates in SSL and is a valid CA for S/MIME and JAR.